x0rz @x0rz@mastodon.social

Tweets are automatically forwarded from https://twitter.com/x0rz

To be up against such threats you need a perfect IT knowledge of your network, state-of-art admin practices, up to date software, EDR deployed, detection capability, SOC w/ good people, etc. Nobody has everything everywhere. There will always be a chance for attacks to succeed.

If you often work on HTTP logs (IR analysis or threat detection), this teler tool could be handy https://github.com/kitabisa/teler

This is really cool, Twitter showing this warning now on certain tweets showing data obtained illegally https://help.twitter.com/en/rules-and-policies/hacked-materials https://t.co/XLHd7MMVfp

If Elon Musk and Jeff Bezos could start investing money into what we already have (ie. planet earth) instead of super-rich-dudes mars projects, that would be cool.

BiTcOIn Is tHe FuTUrE https://twitter.com/cstross/status/1361328597366157318

Sandworm campaign targeting Centreon systems - @CERT_FR https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf (PDF) #threatintel #sandworm

Looks like a bad signature matching some high-entropy (compressed/random) file :(

#JustRansomwareThings https://t.co/08cJJbzCnx

Also, this is eerily similar to the shadowbrokers stuff.

#SolarLeaks updated their post, it contains a mysterious hash as proof 25b23446e6c29a8a1a0aac37fc3b65543fae4a7a385ac88dc3a5a3b1f42e6a9e. A message for someone?

> Use @signalapp or @olvid_io

If you need Sandstorm to begin 2021 with https://sandstorm.lol/ #HappyNewYear

Logging in to an old BTC account and realize I have 0.2 left. Feels good man. https://t.co/VQZG1k1wr4

Never mind, it's just the public certificate (most probably). I got confused with the FEYE comment "Used to sign samples".

Also, does this mean anyone with VT access can just download it and sign binaries as SolarWinds?! Probably revoked by now... but wtf?

Is it normal to find a legitimate SolarWinds code-signing certificate, visible on VT since late 2019? 439bcd0a17d53837bc29fb51c0abd9d52a747227f97133f8ad794d9cc0ef191e (according to https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_Hashes.csv)

The Russian Federation is not considered a "nation-state". So if you're going to attribute cyberattacks to Russia (or any state), please don't say "nation-state cyberattacks". The term "government-backed attacks" is probably best suited for most cases. https://en.wikipedia.org/wiki/Nation_state#In_practice

Note: that was probably not the entry point considering the binaries were signed.

SolarWinds is actually a very cool name to talk about supply chain attacks https://t.co/ekExYPXh6G

Does APT29 really need to hack FireEye in order to get tools exploiting known vulns and some custom Cobalt Strike-like beacons? This was either opportunistic or a side-effect on their way to the real goods (ie. intelligence FEYE had on them). My 2 cents.